I. Which zone does firewalld apply to a request?
1. When a request arrives, which zone does firewalld actually use?
firewalld decides this in three steps:
- source, i.e. the source address of the request
- interface, i.e. the network interface on which the request was received
- the default zone configured in firewalld.conf
The usual value is: DefaultZone=public
Note: the three steps are listed in descending order of priority.
That is, if a zone is matched by source, the interface is not consulted at all;
if a zone is matched by interface, the default zone is not used.
2. Why is it like this? It is simply how firewalld is set up, and you can verify it on the system.
List the active zones:
[root@192 ~]# firewall-cmd --get-active-zones
drop
sources: 192.168.7.7
public
interfaces: ens33
trusted
sources: 192.168.8.8
Show the default zone:
[root@192 ~]# firewall-cmd --get-default-zone
public
Inspect the nftables rules of the backend. The chain lists the source matches first, then the interface match, then an unconditional goto to the default zone, which is exactly the priority order described above:
chain filter_INPUT_ZONES {
ip saddr 192.168.7.7 goto filter_IN_drop
ip saddr 192.168.8.8 goto filter_IN_trusted
iifname "ens33" goto filter_IN_public
goto filter_IN_public
}
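The three-step lookup above, as an added example written for this note (it is not part of the original post and not firewalld's own code). It parses the same `--get-active-zones` text shown above, embedded as a constructed sample, and runs a few constructed packets through the source > interface > default order. It goes slightly beyond the note in accepting CIDR source bindings and in resolving overlapping source networks longest-prefix-first; the latter is this example's own choice, not something the note states about firewalld.

```python
import ipaddress

# Constructed sample: the same text that `firewall-cmd --get-active-zones`
# printed in the note above, embedded so the example runs offline.
ACTIVE_ZONES = """\
drop
  sources: 192.168.7.7
public
  interfaces: ens33
trusted
  sources: 192.168.8.8
"""

# Value of DefaultZone in firewalld.conf (what --get-default-zone printed).
DEFAULT_ZONE = "public"


def parse_active_zones(text):
    """Turn --get-active-zones output into (source network -> zone, interface -> zone)."""
    by_source, by_iface = {}, {}
    zone = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:          # a bare line is a zone name
            zone = line
            continue
        key, _, values = line.partition(":")
        for value in values.split():
            if key == "sources":
                # accept both plain addresses and CIDR prefixes (firewalld allows both)
                by_source[ipaddress.ip_network(value, strict=False)] = zone
            elif key == "interfaces":
                by_iface[value] = zone
    return by_source, by_iface


def select_zone(src_ip, iface, by_source, by_iface, default=DEFAULT_ZONE):
    """Apply firewalld's three-step zone lookup: source, then interface, then default."""
    addr = ipaddress.ip_address(src_ip)
    # Step 1: a source binding wins regardless of the arrival interface.
    # Overlapping networks are resolved longest-prefix-first here (this example's choice).
    for net in sorted(by_source, key=lambda n: n.prefixlen, reverse=True):
        if addr.version == net.version and addr in net:
            return by_source[net]
    # Step 2: only if no source matched does the interface binding count.
    if iface in by_iface:
        return by_iface[iface]
    # Step 3: otherwise firewalld.conf's DefaultZone (the unconditional goto in nftables).
    return default


def classify(packets, text=ACTIVE_ZONES, default=DEFAULT_ZONE):
    """Return [(src_ip, iface, zone), ...] for a list of (src_ip, iface) pairs."""
    by_source, by_iface = parse_active_zones(text)
    return [(ip, dev, select_zone(ip, dev, by_source, by_iface, default))
            for ip, dev in packets]


if __name__ == "__main__":
    # Constructed test packets: the first one arrives on ens33 (bound to
    # public) but its source is bound to drop, so drop wins.
    for ip, dev, zone in classify([("192.168.7.7", "ens33"),
                                   ("192.168.8.8", "ens33"),
                                   ("10.0.0.5", "ens33"),
                                   ("10.0.0.5", "ens34")]):
        print(f"{ip:>14} via {dev}: zone {zone}")
```

The interesting case is the first packet: it arrives on ens33, which is bound to public, yet it lands in drop because the source binding is checked first. With the zone table shown in the note, interface and default both resolve to public, so the difference between steps 2 and 3 only shows up once an interface is bound to some other zone.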
II. Execution order of firewalld rich rules:
1. Execution order
- 1. log rules
- 2. drop/reject rules
- 3. accept rules
2. List all rules
[root@192 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="13.17.12.210" port port="22" protocol="tcp" accept
rule family="ipv4" source address="13.17.12.210" reject
Inspect the nftables rules:
chain filter_IN_public {
jump filter_INPUT_POLICIES_pre
jump filter_IN_public_pre
jump filter_IN_public_log
jump filter_IN_public_deny
jump filter_IN_public_allow
jump filter_IN_public_post
jump filter_INPUT_POLICIES_post
meta l4proto { icmp, ipv6-icmp } accept
reject with icmpx type admin-prohibited
}
In this chain the jumps run in the order log, deny, allow, so a reject or drop rich rule takes effect before an accept rule for the same source, regardless of the order in which the rich rules are listed.
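The log/deny/allow walk, as an added example written for this note (not part of the original post and not firewalld's own code). It parses the two rich rules from the `--list-all` output above plus one constructed log rule, sorts them into the three sub-chains, and evaluates constructed packets the way the `filter_IN_public` listing does: log, deny, allow, then the zone's final verdict. The parser covers only the rich-rule subset used on this page (source address, port/protocol, log, accept/drop/reject), and the SERVICES map is a constructed simplification of the zone's service list.

```python
import shlex

# Constructed sample: the two rich rules from the --list-all output above,
# plus one log rule added here so that the log chain is exercised.
RICH_RULES = [
    'rule family="ipv4" source address="13.17.12.210" port port="22" protocol="tcp" accept',
    'rule family="ipv4" source address="13.17.12.210" reject',
    'rule family="ipv4" source address="13.17.12.210" log prefix="pub-" level="info"',
]

# Constructed simplification of the zone's services list (only the ports this
# example needs; real service definitions live in firewalld's services directory).
SERVICES = {"ssh": ("tcp", 22), "cockpit": ("tcp", 9090)}


def parse_rich_rule(text):
    """Parse the subset of rich-rule syntax used above: source, port, log, accept/drop/reject."""
    toks = shlex.split(text)                     # strips the quotes around values
    rule = {"source": None, "port": None, "proto": None, "action": None, "log": False}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "source" and toks[i + 1].startswith("address="):
            rule["source"] = toks[i + 1].split("=", 1)[1]
            i += 2
        elif tok == "port":                      # port port="22" protocol="tcp"
            rule["port"] = int(toks[i + 1].split("=", 1)[1])
            rule["proto"] = toks[i + 2].split("=", 1)[1]
            i += 3
        elif tok == "log":
            rule["log"] = True
            i += 1
        elif tok in ("accept", "drop", "reject"):
            rule["action"] = tok
            i += 1
        else:                                    # rule, family=..., prefix=..., level=...
            i += 1
    return rule


def build_chains(rule_texts):
    """Distribute rich rules over the log / deny / allow sub-chains firewalld generates."""
    chains = {"log": [], "deny": [], "allow": []}
    for rule in map(parse_rich_rule, rule_texts):
        if rule["log"]:                          # a rule may log and still carry an action
            chains["log"].append(rule)
        if rule["action"] in ("drop", "reject"):
            chains["deny"].append(rule)
        elif rule["action"] == "accept":
            chains["allow"].append(rule)
    return chains


def matches(rule, pkt):
    """True if the rule's source and port/protocol constraints all fit the packet."""
    src, proto, dport = pkt
    if rule["source"] is not None and rule["source"] != src:
        return False
    if rule["port"] is not None and (rule["proto"], rule["port"]) != (proto, dport):
        return False
    return True


def evaluate(pkt, chains, services=SERVICES, zone_verdict="reject"):
    """Walk filter_IN_public as listed above: log, deny, allow, then the chain's final verdict.

    pkt is (source_ip, protocol, dest_port); returns (verdict, number_of_log_hits).
    """
    log_hits = sum(1 for r in chains["log"] if matches(r, pkt))   # logging never terminates
    for r in chains["deny"]:                                       # deny runs before allow
        if matches(r, pkt):
            return r["action"], log_hits
    for r in chains["allow"]:
        if matches(r, pkt):
            return "accept", log_hits
    src, proto, dport = pkt
    if (proto, dport) in services.values():                        # zone services are also "allow"
        return "accept", log_hits
    if proto == "icmp":                                            # meta l4proto { icmp, ipv6-icmp } accept
        return "accept", log_hits
    return zone_verdict, log_hits                                  # reject with icmpx type admin-prohibited


if __name__ == "__main__":
    chains = build_chains(RICH_RULES)
    for pkt in [("13.17.12.210", "tcp", 22), ("203.0.113.5", "tcp", 22),
                ("203.0.113.5", "tcp", 80), ("203.0.113.5", "icmp", None)]:
        print(pkt, "->", evaluate(pkt, chains))
```

The point to take away is the first packet: the accept rule for port 22 from 13.17.12.210 is listed first in `--list-all`, but the reject rule for the same source sits in the deny sub-chain, which is jumped to before the allow sub-chain, so SSH from that host is rejected. Other hosts still reach SSH through the zone's service list, and anything not allowed falls through to the chain's closing reject.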